A brief description summarizing the overall purpose and objectives of the position and the results the worker is expected to accomplish.
The Security Governance, Risk, and Compliance (GRC) Specialist will be responsible for ensuring proper implementation of new and existing security controls for the enterprise, as well as developing and implementing new security standards and policies. This position will provide support and guidance to Information Technology and Information Security Teams regarding risk and compliance activities.
The tasks, duties, and responsibilities of the position that are most important to get the job done.
- Assist in the development, implementation, and maintenance of security policies, standards, and procedures;
- Facilitate the implementation of controls and associated processes and procedures;
- Partner with IT and other business units to enhance enterprise awareness of IT security requirements/controls;
- Assist in the development, implementation and maintenance of controls, programs and tools to meet security compliance requirements across critical business functions and within IT;
- Work directly with internal teams to provide guidance and documentation for risk management activities of current and future IT controls;
- Perform control processes where Information Security is the control owner;
- Perform other tasks related to developing, monitoring, and assessing the effectiveness of IT security controls as assigned;
- Track security deficiencies by documenting findings, monitoring follow-through on remediation, and validating closure, to increase the maturity of the security program and reduce overall risk;
- Communicate the overall status of assessments and associated remediation plans and exceptions;
- Assist in the support of internal IT audits to ensure adherence;
- Review vendor risk assessments to assist in the overall vendor compliance risk management process;
- Partner with business units to better understand how security can be applied in a dynamic and evolving organization;
- Serve as an information security liaison to business units and third parties to create and/or provide feedback on items assigned or influenced by the team;
- Promote information security awareness through awareness and education programs;
- Perform other tasks as needed in the development, implementation and maintenance of controls, activities and tools to continue the evolution of the information security program;
- Other duties, not listed, may be assigned by the Director, Information Security.
KNOWLEDGE, SKILLS AND ATTRIBUTES
The specific minimum competencies required for job performance.
- Ability to work on several tasks simultaneously and to weigh information from internal and external sources in order to make appropriate assessments and decisions;
- Solid understanding of the ISO 27001/27002, NIST 800, NIST CSF frameworks, risk assessment, control analysis and audit methodologies;
- Must be organized, detail-oriented, deadline-driven, and able to handle multiple responsibilities in a fast-paced environment;
- Ability to work with a wide range of people, to take responsibility, and to function under minimal supervision;
- Ability to think strategically, with good interpersonal and organization skills;
- Strong communication, consultative, and presentation skills;
- Knowledge of commonly used cybersecurity concepts, practices, and procedures.
The scope of the person’s authority, including a list of jobs that report to the incumbent.
This position has no supervisory responsibilities.
The environment in which the job is performed, especially any unique conditions outside a normal office environment.
- Consistent with that of a normal office environment;
- Ability to routinely lift up to 50 lbs;
- Infrequent travel to all PDC offices required (~10%).
The minimum level of education, experience, and certifications required to perform the job.
- Bachelor’s degree required;
- Minimum of 5 years’ experience in information security, information technology, compliance or audit;
- Minimum of 2 years’ direct experience in an information security, compliance or audit specific role;
- Industry certifications such as: CISSP, CISM, CISA, SSCP, CRISC, or CGEIT.